fix(tunnel): propagate half-closed TCP connections #259
Conversation
This change ensures that tunneled TCP connections propagate shut downs when they occur, allowing the opposite party to be signaled appropriately. A TCP connection can be "half-closed" when `A` shuts down `A->B` by sending a FIN to `B`, and `B` responds with an ACK. The connection becomes "fully-closed" when the same procedure is followed for the `A<-B` direction. When a TCP connection is half-closed in the `A->B` direction, data may continue to flow in the `A<-B` direction. This signaling exists as a basic function of the TCP protocol, allowing either party to indicate that they are done sending data, and that their peer can finish up as they please. Data can continue to flow in the opposite direction until they are ready to shut down their side of the connection. When cloud-provider-kind (`t`) acts as a tunnel for TCP connections between `A` and `B`, we have two connections `A-t` and `t-B`, and four flows: - `A->t` and `t->B` (representing `A->B`). - `A<-t` and `t<-B` (representing `A<-B`). Prior to this change, when `A` shut down `A->t`, the tunnel would not shut down `t->B`, leaving `A-t` half-closed and `B-t` not closed in any way. The same is true for the opposite direction, as well. obviously prevents `B` from knowing After this change, when `A` shuts down `A->t`, cloud-provider-kind immediately shuts down `t->B`. The same is true when `B` shuts down `t<-B`, `A<-t` is immediately shut down. Flow directions are maintained independently from one-another. Note: this change effectively restricts tunneled connections to only supporting `udp`, `tcp`, `tcp4`, and `tcp6` protocols. As far as I can tell, docker containers will not expose other protocol types (like unix domain sockets).
k8s-ci-robot
added
the
cncf-cla: no
|
Welcome @justfalter! |
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @justfalter. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
size/M
|
/ok-to-test Thanks, just curious, how did you find out about this problem? is envoy doing the right thing or do we also need to tune the envoy config? |
k8s-ci-robot
added
ok-to-test
I have a grpc service hosted in a pod, and access it via cloud-provider-kind. I found that the client-side of a grpc server-stream was not getting an io.EOF when the service's pod was restarted. The client side of the server stream would remain connected to the tunnel without tearing down or erroring ... it'd just sit there, waiting for more server-provided messages to show up.
I'm guessing that envoy is probably doing things properly as it has several orders of magnitude more users that cloud-provider-kind. |
I had an incidence some months ago with envoy because of problems with half closed connections, related to this istio/istio#43297 , that is why I was asking if with current fix it works for you. We solved it setting a timeout for idle connections, but if this is working for you I prefer to keep the defaults |
|
/kind bug Thanks |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aojea, justfalter The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
This change ensures that tunneled TCP connections propagate shut downs when they occur, allowing the opposite party to be signaled appropriately.
A TCP connection can be "half-closed" when
Ashuts downA->Bby sending a FIN toB, andBresponds with an ACK. The connection becomes "fully-closed" when the same procedure is followed for theA<-Bdirection. When a TCP connection is half-closed in theA->Bdirection, data may continue to flow in theA<-Bdirection.This signaling exists as a basic function of the TCP protocol, allowing either party to indicate that they are done sending data, and that their peer can finish up as they please. Data can continue to flow in the opposite direction until they are ready to shut down their side of the connection.
When cloud-provider-kind (
t) acts as a tunnel for TCP connections betweenAandB, we have two connectionsA-tandt-B, and four flows:A->tandt->B(representingA->B).A<-tandt<-B(representingA<-B).Prior to this change, when
Ashut downA->t, the tunnel would not shut downt->B, leavingA-thalf-closed andB-tnot closed in any way. The same is true for the opposite direction, as well.After this change, when
Ashuts downA->t, cloud-provider-kind immediately shuts downt->B. The same is true whenBshuts downt<-B,A<-tis immediately shut down. Flow directions are maintained independently from one-another.Note: this change effectively restricts tunneled connections to only supporting
udp,tcp,tcp4, andtcp6protocols. As far as I can tell, docker containers will not expose other protocol types (like unix domain sockets).